
Management firewall policy does not work without AFM module for version 15.1.2.1 #279

Closed
rukshanpk opened this issue Nov 4, 2021 · 3 comments
Labels
bug Something isn't working

Comments

@rukshanpk

Environment

  • Declarative Onboarding Version: 1.25.0
  • BIG-IP Version: 15.1.2.1

Summary

The BIG-IP with version 15.1.2.1 cannot add mgmt API firewall rules using Terraform without provisioning the AFM module.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:
{
    "schemaVersion": "1.25.0",
    "class": "Device",
    "async": true,
    "label": "my BIG-IP declaration for declarative onboarding",
    "Common": {
        "class": "Tenant",
        "mySystem": {
            "class": "System",
            "preserveOrigDhcpRoutes": true,
            "hostname": "${bigip_hostname}",
            "cliInactivityTimeout": 1500,
            "consoleInactivityTimeout": 1200,
            "autoPhonehome": false
        },
...
        "firewallAddressList1": {
            "class": "FirewallAddressList",
            "addresses": [
                "10.10.0.0/16",
                "10.20.33.0/24"
            ]
        },
        "firewallAddressList2": {
            "class": "FirewallAddressList",
            "addresses": [
                "0.0.0.0/0"
            ]
        },
        "firewallPortList1": {
            "class": "FirewallPortList",
            "ports": [
                "1-65535"
            ]
        },
        "firewallPortList2": {
            "class": "FirewallPortList",
            "ports": [
                443
            ]
        },
        "managementIpFirewall": {
            "class": "ManagementIpFirewall",
            "label": "Example of all management IP firewall properties",
            "remark": "management IP firewall description",
            "rules": [
                {
                    "name": "mgmt_api_allow",
                    "label": "management api access allow rule",
                    "remark": "management api access allow rule",
                    "action": "accept",
                    "protocol": "tcp",
                    "loggingEnabled": true,
                    "source": {
                        "addressLists": [
                            "/Common/firewallAddressList1"
                        ],
                        "portLists": [
                            "/Common/firewallPortList1"
                        ]
                    },
                    "destination": {
                        "addressLists": [
                            "/Common/firewallAddressList2"
                        ],
                        "portLists": [
                            "/Common/firewallPortList2"
                        ]
                    }
                },
                {
                    "name": "mgmt_api_reject",
                    "label": "management api access reject rule",
                    "remark": "management api access reject rule",
                    "action": "reject",
                    "protocol": "tcp",
                    "loggingEnabled": true,
                    "source": {
                        "addressLists": [
                            "/Common/firewallAddressList2"
                        ],
                        "portLists": [
                            "/Common/firewallPortList1"
                        ]
                    },
                    "destination": {
                        "addressLists": [
                            "/Common/firewallAddressList2"
                        ],
                        "portLists": [
                            "/Common/firewallPortList2"
                        ]
                    }
                }
            ]
        },
  2. Observe the following error response:
    bigip_do.gns-do_lbr01: Still modifying... [id=a0c35615-e566-40dd-8def-25ec44eaab68, 4m10s elapsed]
    bigip_do.gns-do_lbr01: Still modifying... [id=a0c35615-e566-40dd-8def-25ec44eaab68, 4m20s elapsed]
    bigip_do.gns-do_lbr01: Still modifying... [id=a0c35615-e566-40dd-8def-25ec44eaab68, 4m30s elapsed]
    bigip_do.gns-do_lbr01: Still modifying... [id=a0c35615-e566-40dd-8def-25ec44eaab68, 4m40s elapsed]
    bigip_do.gns-do_lbr01: Still modifying... [id=a0c35615-e566-40dd-8def-25ec44eaab68, 4m50s elapsed]
    bigip_do.gns-do_lbr01: Still modifying... [id=a0c35615-e566-40dd-8def-25ec44eaab68, 5m0s elapsed]
    bigip_do.gns-do_lbr01: Still modifying... [id=a0c35615-e566-40dd-8def-25ec44eaab68, 5m10s elapsed]
    bigip_do.gns-do_lbr01: Still modifying... [id=a0c35615-e566-40dd-8def-25ec44eaab68, 5m20s elapsed]
    bigip_do.gns-do_lbr01: Still modifying... [id=a0c35615-e566-40dd-8def-25ec44eaab68, 5m30s elapsed]
    bigip_do.gns-do_lbr01: Still modifying... [id=a0c35615-e566-40dd-8def-25ec44eaab68, 5m40s elapsed]
    bigip_do.gns-do_lbr01: Still modifying... [id=a0c35615-e566-40dd-8def-25ec44eaab68, 5m50s elapsed]
    bigip_do.gns-do_lbr01: Still modifying... [id=a0c35615-e566-40dd-8def-25ec44eaab68, 6m0s elapsed]
    ^CStopping operation...
    ....
    Response from the declaration verification,
    {
    "code": 422,
    "message": "request failed with null exception",
    "referer": "10.111.133.139",
    "restOperationId": 7589034,
    "kind": ":resterrorresponse"
    }

Expected Behavior

For version 15.1.2.1 the management API firewall rules should be able to be added without the AFM module.

Actual Behavior

Rules are getting added only when the AFM module is provisioned.

@rukshanpk rukshanpk added bug Something isn't working untriaged Issue needs to be reviewed for validity labels Nov 4, 2021
@dstokesf5
Contributor

Thank you for your feedback. I have added this to our internal product backlog as AUTOTOOL-2850.

@dstokesf5 dstokesf5 removed the untriaged Issue needs to be reviewed for validity label Jan 28, 2022
@Otimun

Otimun commented May 17, 2022

I am experiencing the same problem but in version 15.1.4, even with simply adding the port list. I don't see another way of adding the mgmt IP firewall without adding a port. Code I use:

{
    "$schema": "https://raw.githubusercontent.com/F5Networks/f5-declarative-onboarding/master/src/schema/latest/base.schema.json",
    "schemaVersion": "1.29.0",
    "class": "Device",
    "async": true,
    "Common": {
        "class": "Tenant",
        "iquery_portlist": {
            "class": "FirewallPortList",
            "ports": [4353]
        },
        "ha_portlist": {
            "class": "FirewallPortList",
            "ports": [1026]
        },
        "ManagementIpFirewall": {
            "class": "ManagementIpFirewall",
            "rules": [
                {
                    "name": "HA",
                    "action": "accept",
                    "protocol": "udp",
                    "destination": {
                        "portLists": ["/Common/ha_portlist"]
                    }
                },
                {
                    "name": "iQuery",
                    "action": "accept",
                    "protocol": "tcp",
                    "destination": {
                        "portLists": ["/Common/iquery_portlist"]
                    }
                }
            ]
        }
    }
}

module.f5.bigip_do.declarative_onboarding: Creating...
module.f5.bigip_do.declarative_onboarding: Still creating... [10s elapsed]
module.f5.bigip_do.declarative_onboarding: Still creating... [20s elapsed]
module.f5.bigip_do.declarative_onboarding: Still creating... [30s elapsed]
module.f5.bigip_do.declarative_onboarding: Still creating... [40s elapsed]
module.f5.bigip_do.declarative_onboarding: Still creating... [50s elapsed]
module.f5.bigip_do.declarative_onboarding: Still creating... [1m0s elapsed]

│ Error: Error while reading the response body :map[class:Result code:202 errors:[One of the following features must be licensed/provisioned for the URI security/firewall/port-list : afm cgnat dos asm] message:invalid config - rolling back status:ROLLING_BACK]

│ with module.f5.bigip_do.declarative_onboarding,
│ on ../modules/f5/bigip.tf line 11, in resource "bigip_do" "declarative_onboarding":
│ 11: resource "bigip_do" "declarative_onboarding" {

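In both declarations in this thread the problem only surfaces after the BIG-IP has rolled back the whole declaration. Below is a pre-flight check that catches it locally, written as an added example that is not part of the f5-declarative-onboarding project or of either poster's configuration: it walks a declaration for the list classes that the error above says are gated on afm/cgnat/dos/asm, compares them with the module levels the device reports, and also verifies that every `portLists`/`addressLists` reference in `ManagementIpFirewall` rules resolves to an object of the right class. The provisioning records are a constructed sample shaped like the `items` of `GET /mgmt/tm/sys/provision` (each with a `name` and a `level`), the declaration is a constructed one modelled on the thread's, and gating `FirewallAddressList` on the same modules is an assumption drawn from the sibling `security/firewall` URI, not something the thread states.

```python
"""Pre-flight check for a Declarative Onboarding (DO) declaration.

Added example, not project code. Flags (1) firewall list objects that the
device will reject when none of the required modules is provisioned, and
(2) ManagementIpFirewall rules whose list references do not resolve.
"""

# Modules named in the error message quoted in this thread.
REQUIRING_MODULES = frozenset({"afm", "cgnat", "dos", "asm"})

# DO class -> REST URI the object is pushed to. port-list comes from the
# thread's error text; address-list is an assumption (sibling URI).
GATED_CLASSES = {
    "FirewallPortList": "security/firewall/port-list",
    "FirewallAddressList": "security/firewall/address-list",  # assumption
}

# Rule property -> class the referenced object must have.
LIST_CLASS_FOR_KEY = {
    "portLists": "FirewallPortList",
    "addressLists": "FirewallAddressList",
}


def provisioned_modules(provision_items):
    """Names of modules whose provisioning level is anything other than 'none'."""
    return {i["name"] for i in provision_items if i.get("level", "none") != "none"}


def tenant_objects(declaration):
    """Yield (tenant, name, obj) for every class-bearing object in every Tenant."""
    for tenant, body in declaration.items():
        if isinstance(body, dict) and body.get("class") == "Tenant":
            for name, obj in body.items():
                if isinstance(obj, dict) and "class" in obj:
                    yield tenant, name, obj


def check_declaration(declaration, provision_items):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    provisioned = provisioned_modules(provision_items)
    objects = {f"/{t}/{n}": o for t, n, o in tenant_objects(declaration)}

    # 1. Gated list classes present while no qualifying module is provisioned.
    if not (provisioned & REQUIRING_MODULES):
        for path, obj in objects.items():
            uri = GATED_CLASSES.get(obj["class"])
            if uri:
                findings.append(
                    f"{path} ({obj['class']}) needs one of {sorted(REQUIRING_MODULES)} "
                    f"for {uri}; provisioned: {sorted(provisioned) or 'none'}"
                )

    # 2. Dangling or mistyped list references inside ManagementIpFirewall rules.
    for path, obj in objects.items():
        if obj["class"] != "ManagementIpFirewall":
            continue
        for rule in obj.get("rules", []):
            for side in ("source", "destination"):
                for key, expected_cls in LIST_CLASS_FOR_KEY.items():
                    for ref in rule.get(side, {}).get(key, []):
                        target = objects.get(ref)
                        if target is None:
                            findings.append(
                                f"{path} rule {rule.get('name')!r}: {side}.{key} references "
                                f"{ref}, which is not in the declaration"
                            )
                        elif target["class"] != expected_cls:
                            findings.append(
                                f"{path} rule {rule.get('name')!r}: {ref} is a "
                                f"{target['class']}, expected {expected_cls}"
                            )
    return findings


# Constructed declaration modelled on the one in this thread, plus one rule
# with a deliberately dangling reference so the second check has work to do.
SAMPLE_DECLARATION = {
    "schemaVersion": "1.29.0",
    "class": "Device",
    "Common": {
        "class": "Tenant",
        "ha_portlist": {"class": "FirewallPortList", "ports": [1026]},
        "mgmtFirewall": {
            "class": "ManagementIpFirewall",
            "rules": [
                {"name": "HA", "action": "accept", "protocol": "udp",
                 "destination": {"portLists": ["/Common/ha_portlist"]}},
                {"name": "typo", "action": "accept", "protocol": "tcp",
                 "destination": {"portLists": ["/Common/iquery_portlist"]}},
            ],
        },
    },
}

# Constructed samples shaped like the `items` of GET /mgmt/tm/sys/provision.
LTM_ONLY = [{"name": "ltm", "level": "nominal"}, {"name": "afm", "level": "none"}]
WITH_AFM = [{"name": "ltm", "level": "nominal"}, {"name": "afm", "level": "nominal"}]

if __name__ == "__main__":
    for label, prov in (("LTM only", LTM_ONLY), ("with AFM", WITH_AFM)):
        print(f"== {label} ==")
        for finding in check_declaration(SAMPLE_DECLARATION, prov) or ["ok"]:
            print(" -", finding)
```

Feed `check_declaration` the real `items` list from `/mgmt/tm/sys/provision` and the declaration you are about to apply: an empty result means the gating and reference checks pass, and a non-empty one says which objects to drop or which module to provision before `terraform apply`, instead of finding out through the polling loop shown above.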
@dstokesf5
Contributor

This issue has been resolved with the 1.30.0 release.
